[ovs-dev] [PATCH] ofproto:fix use-after-free
Ilya Maximets
i.maximets at ovn.org
Wed Feb 24 16:10:18 UTC 2021
On 3/9/20 3:35 AM, guohongzhi (A) wrote:
> Only RCU may not be sufficient. The deletion of rule and group uses both RCU and reference accounting, but the deletion of ofproto uses only RCU.
>
> The execution process is as follows:
> ofproto_destroy=>p->ofproto_class->destruct=>ofproto_rule_delete=>ofproto_rule_unref (suppose rule-A’s reference accounting does not reach the last; rule-A will not be added to the deferred deletion list)=>…=>ofproto_destroy (the ofproto will be added to the deferred deletion list directly in the last line of the function)=>soon after, rule-A’s reference accounting reaches the last, and it will be added to the deferred deletion list after ofproto. So, ofproto will be released before rule-A. When rule_destroy_cb is executed, the internal access of ofproto will cause a use-after-free.
>
>
> -----Original Message-----
> From: Ben Pfaff [mailto:blp at ovn.org]
> Sent: March 7, 2020 4:58
> To: guohongzhi (A) <guohongzhi1 at huawei.com>
> Cc: dev at openvswitch.org; numans at ovn.org; Zhoujingbin (Robin, Russell Lab) <zhoujingbin at huawei.com>; chenchanghu <chenchanghu at huawei.com>; Lilijun (Jerry) <jerry.lilijun at huawei.com>
> Subject: Re: [PATCH] [ovs-dev]ofproto:fix use-after-free
>
> On Fri, Mar 06, 2020 at 09:05:55PM +0800, guohongzhi wrote:
>> ASAN reports use-after-free when destroying ofproto_rule; the
>> rule->ofproto has been freed in ofproto_destroy.
>> Add ref_count for ofproto to avoid use-after-free when destroying
>> ofproto_rule and group.
>>
>> Signed-off-by: guohongzhi <guohongzhi1 at huawei.com>
>
> Why isn't RCU sufficient to avoid use-after-free?
Marking this patch as 'changes requested' in patchwork in context
of my comments to the similar patch:
http://patchwork.ozlabs.org/project/openvswitch/patch/20200717015041.82746-1-hepeng.0320@bytedance.com/#2637046
Best regards, Ilya Maximets.
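
The teardown order described in the quoted message, replayed in a small model with and without the child holding a reference on its parent. This is an added example, not OVS code and not written by anyone in the thread. It assumes a FIFO callback queue standing in for the RCU deferred-deletion list, and all names in it are hypothetical.

```c
/* Added illustration, not OVS code. A FIFO of callbacks stands in for the
 * RCU deferred-deletion list; every name here is hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct parent { int refs; bool live; };                  /* models ofproto */
struct child { struct parent *p; int refs; bool pins; }; /* models a rule */

typedef void (*cb_fn)(void *);
static struct { cb_fn fn; void *arg; } queue[8];
static size_t n_queued;
static int stale; /* child callbacks that ran after the parent was released */

static void postpone(cb_fn fn, void *arg) {
    queue[n_queued].fn = fn;
    queue[n_queued++].arg = arg;
}
static void parent_release_cb(void *p) { ((struct parent *)p)->live = false; }
static void parent_unref(struct parent *p) {
    if (--p->refs == 0) postpone(parent_release_cb, p);
}
static void child_destroy_cb(void *arg) {
    struct child *c = arg;
    if (!c->p->live) stale++;          /* real code would read freed memory */
    if (c->pins) parent_unref(c->p);   /* drop the reference the child held */
}
static void child_unref(struct child *c) {
    if (--c->refs == 0) postpone(child_destroy_cb, c);
}

/* Replays the teardown order from the thread; returns stale accesses seen. */
int teardown(bool child_pins_parent) {
    struct parent p = { .refs = child_pins_parent ? 2 : 1, .live = true };
    struct child c = { .p = &p, .refs = 2, .pins = child_pins_parent };
    stale = 0;
    n_queued = 0;
    child_unref(&c);   /* destruct path: not yet the last reference */
    parent_unref(&p);  /* end of parent destroy */
    child_unref(&c);   /* last reference dropped soon after */
    for (size_t i = 0; i < n_queued; i++) queue[i].fn(queue[i].arg);
    return stale;
}

int main(void) {
    printf("no parent ref: %d stale access(es)\n", teardown(false));
    printf("parent ref held by child: %d stale access(es)\n", teardown(true));
    return 0;
}
```

The model flips a `live` flag instead of calling `free()`, so the stale access is counted rather than triggering undefined behaviour.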